Speaker: Shengzhi Zhang 

Title: Cross-Layer Comprehensive Intrusion Harm Analysis for
Production Workload Server Systems

Abstract

Analyzing the (harm of) intrusion to enterprise servers is an onerous
and error-prone work. Though dynamic taint track- ing enables
automatic fine-grained intrusion harm analysis for enterprise servers,
the significant runtime overhead introduced is generally intolerable
in the production workload environment. Thus, we propose PEDA
(Production Environment Damage Analysis) system, which decouples the
onerous analysis work from the online execution of the production
servers.  Once compromised, the "has-been-infected" execution is
analyzed during high fidelity replay on a separate instrumentation
platform.  The replay is implemented based on the heterogeneous
virtual machine migration. The servers' online execution runs atop
fast hardware-assisted virtual machines (such as Xen for near native
speed), while the infected execution is replayed atop binary
instrumentation virtual machines (such as Qemu for the implementation
of taint analysis). From identified intrusion symptoms, PEDA is
capable of locating the fine-grained taint seed by integrating the
backward system call dependency tracking and one-step-forward taint
information flow auditing.  Started with the fine-grained taint seed,
PEDA applies dynamic taint analysis during the replayed
execution. Evaluation demonstrates the efficiency of PEDA system with
runtime overhead as low as 5%. The real-life intrusion studies
successfully show the comprehensiveness and the precision of PEDA's
intrusion harm analysis.